I recently discovered a process called noms.exe running and maxing out one CPU core on the machine.
I have done all the usual steps trying to collect the information about the process and was surprised by how little I could find out.
So what I know so far:
- filename: noms.exe
- location: c:\windows\geianoms\noms.exe
- company name (as reported by Process Explorer): CBTS (*I have no clue what this company is or what CBTS stands for. A quick internet search did not give me any clues)
- The executable is running as a service. Yet the service name is not descriptive at all, it literally says "noms". The description section of the service is empty (?suspicious?)
- It does not seem to be a part of an antivirus package. The system has McAfee installed and all McAfee executables are easily identifiable.
- I seriously doubt that it is an OS component as it is not labeled by Microsoft.
- Description in Process Explorer says "NOMS client 64-bit"
- Process is permanently stuck in "Wait:UserRequest" state
- Working set of the process does not seem to be growing over time
- Process consumes 100% of one CPU core
- "noms" service is set to manual start in windows services. So it must have been started from somewhere
- Search in system registry does not reveal anything except for the actual service record and antivirus + firewall exceptions
Search on the internet for "noms.exe" and "geianoms" keywords did not produce any helpful results except for the fact that someone else has searched for similar/identical file.
Does anyone have any clue what that could be? Any advice would be appreciated.
You already got Process Explorer, great. Now go to Options > VirusTotal.com > tick Check VirusTotal.com. Now you can submit the executable for analysis in process properties. If you don't have this option, update your Process Explorer.
– Vlastimil Ovčáčík – 2015-12-07T12:49:21.4273
Are you using evernote (it has a noms client)? See https://github.com/evernote/noms-client/wiki
– DavidPostill – 2015-12-07T13:19:55.843
@VlastimilOvčáčík, I did run the check with VirusTotal and with McAfee first thing. The file is clean. This is not my concern at the moment. I am sure it is not a virus. I am however very concerned with the fact that there is a service that I don't know anything about and it maxes out the CPU, resulting in poor performance of other services. I would like to ideally find out what it is and where it came from before disabling the service. – Art Gertner – 2015-12-07T13:23:34.980
@DavidPostill, thanks for a valuable clue. The machine does not have evernote installed, but I will look into the source you have linked. – Art Gertner – 2015-12-07T13:25:51.757
It looks like a product of CBTS Software LLC of Ohio, a subsidiary of Cincinnati Bell. – Chenmunka – 2015-12-15T14:32:46.900
@Chenmunka, can you provide any additional info / link about that product? – Art Gertner – 2015-12-15T15:07:24.553
Not yet - I'm flummoxed by it too. If I'd had more I'd have posted it as an answer. – Chenmunka – 2015-12-15T15:09:29.670
Ok, keep an eye on the post. If I find a solution, I will share it. – Art Gertner – 2015-12-15T15:27:23.293
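The checks listed in the question can be collected in one read-only pass, together with the two things it leaves open: what can start a manual-start service, and when the service was installed. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later and uses the service name `noms` from the question.

```powershell
# Added example: read-only triage of an unidentified Windows service.
# 'noms' is the service name reported in the question; change it as needed.
$Name = 'noms'

$svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
if (-not $svc) { throw "Service '$Name' not found" }
$svc | Format-List Name, DisplayName, Description, State, StartMode, StartName, ProcessId, PathName

# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -match '^\s*"?(.+?\.exe)\b') { $exe = $Matches[1] }
else { throw "Could not parse an executable path from: $($svc.PathName)" }

# Who signed the binary, what it claims to be, and when it landed on disk.
Get-AuthenticodeSignature -FilePath $exe |
    Format-List Status, StatusMessage, @{n = 'Signer'; e = { $_.SignerCertificate.Subject } }
(Get-Item $exe).VersionInfo |
    Format-List CompanyName, ProductName, FileDescription, FileVersion, OriginalFilename
Get-Item $exe | Format-List FullName, CreationTimeUtc, LastWriteTimeUtc
Get-FileHash -Path $exe -Algorithm SHA256    # hash for vendor or reputation lookups

# Running instance: start time, command line, and any TCP endpoints it owns.
if ($svc.ProcessId) {
    Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)" |
        Format-List CreationDate, ParentProcessId, CommandLine
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

# A manual-start service is started by a trigger, by a service that depends
# on it, or by an explicit start request from another program.
sc.exe qtriggerinfo $Name
Get-Service -Name $Name -DependentServices | Format-Table Name, Status, StartType

# Service Control Manager events: 7045 = service installed,
# 7036 = service changed state (where the system logs it).
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045, 7036
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Name) -or
                   ($svc.DisplayName -and $_.Message -match [regex]::Escape($svc.DisplayName)) } |
    Sort-Object TimeCreated |
    Select-Object -First 20 TimeCreated, Id, Message |
    Format-List
```

The timestamp of the 7045 event and the file's creation time can be compared against software installation records for the same day to identify which package delivered the service.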